Remove agentAuth #692

deepfence_agent/Dockerfile

@@ -42,7 +42,6 @@ COPY tools/apache/fluentbit/* /etc/td-agent-bit/
 
 # Copy fluentbit plugin
 COPY tools/apache/fluentbit/out_deepfence/out_deepfence.so /opt/td-agent-bit/bin/
-COPY tools/apache/deepfence/df-utils/agent_auth/agentAuth /usr/local/bin/agentAuth
 COPY tools/apache/deepfence/df-utils/get_cloud_instance_id/getCloudInstanceId /usr/local/bin/getCloudInstanceId
 COPY etc/fenced_logrotate.conf /etc/logrotate.d/fenced_logrotate.conf
 COPY etc/certs/* /etc/filebeat/
@@ -73,7 +72,7 @@ RUN mkdir -p /home/deepfence/bin/yara-hunter \
     && apt-get update --allow-insecure-repositories \
     && apt-get -qq -y --no-install-recommends install libjansson4 libssl1.1 libmagic1 bash curl python3-pip \
     && rm -rf /usr/local/bin/compliance_check/*.go \
-    && chmod 700 /usr/local/bin/agentAuth /usr/local/bin/getCloudInstanceId \
+    && chmod 700 /usr/local/bin/getCloudInstanceId \
     && chmod 700 /usr/local/discovery/deepfence-discovery /home/deepfence/run_discovery.sh \
     && chmod +x /home/deepfence/*.sh \
     && chmod 600 /etc/td-agent-bit/* \

deepfence_agent/Makefile

@@ -30,9 +30,6 @@ all:: gocode
 gocode:
 	# go build -o tools/apache/licensegen/licensegen tools/apache/licensegen/licensegen.go
 
-	echo "Building agent authenticator..."
-	$(CD) tools/apache/deepfence/df-utils/agent_auth && go mod tidy -v && go mod vendor && env CGO_ENABLED=0 go build -o agentAuth $(GOFLAGS) .
-
 	echo "Building go binary for cloud metadata instance id..."
 	$(CD) tools/apache/deepfence/df-utils/get_cloud_instance_id && env CGO_ENABLED=0 go build -o getCloudInstanceId $(GOFLAGS) .
 
@@ -42,6 +39,5 @@ gocode:
 install:
 
 clean:
-	$(RM) tools/apache/deepfence/df-utils/agentAuth
 	$(RM) tools/apache/deepfence/df-utils/getCloudInstanceId
 	cd tools/apache/scope && make realclean

deepfence_agent/fargate/Dockerfile.scratch

@@ -26,7 +26,6 @@ COPY tools/apache/scope/docker/uploadFile.sh deepfence/home/deepfence/uploadFile
 
 ADD fargate/misc/scanners-1.3.0.tar.gz /deepfence/home/deepfence/
 
-COPY misc/deepfence/df-utils/agent_auth/agentAuth /deepfence/usr/local/bin/agentAuth
 COPY misc/deepfence/df-utils/get_cloud_instance_id/getCloudInstanceId /deepfence/usr/local/bin/getCloudInstanceId
 COPY tools/apache/scope/docker/deepfenceutil /deepfence/usr/bin/deepfenceutil
 

deepfence_agent/fargate/start-df-services.sh

@@ -64,18 +64,6 @@ launch_discovery() {
   bash -x $DF_INSTALL_DIR/home/deepfence/run_discovery_loop.sh &
 }
 
-check_auth() {
-  $DF_INSTALL_DIR/usr/local/bin/agentAuth
-  auth_result=$?
-  if [ $auth_result -ne 0 ]; then
-    echo "Error: Agent exited. If agent authentication is enabled, check if correct deepfence key is passed."
-    sleep 30
-    exit 1
-  else
-    echo "Agent authentication successful."
-  fi
-}
-
 launch_package_scanner() {
   echo "Launching package-scanner grpc server"
   bash -x -c "rm -rf /tmp/package-scanner.sock && $DF_INSTALL_DIR/home/deepfence/package-scanner -socket-path /tmp/package-scanner.sock -mode grpc-server" &
@@ -99,7 +87,6 @@ mkdir -p $DF_INSTALL_DIR/var/log/fenced/
 chmod +x $DF_INSTALL_DIR/home/deepfence/*.sh
 
 echo "Start Deepfence services... Console is $MGMT_CONSOLE_URL"
-check_auth
 launch_package_scanner
 
 echo "Starting discovery logs..." >>$DF_INSTALL_DIR/var/log/fenced/discovery.logfile

deepfence_agent/start_serverless_services.sh

@@ -71,14 +71,6 @@ launch_system_services() {
 
 launch_deepfenced() {
 
-    echo "Start agent authentication..."
-    /usr/local/bin/agentAuth
-    auth_result=$?
-    if [ $auth_result -ne 0 ]; then
-        echo "Error: Agent exited. If agent authentication is enabled, check if correct deepfence key is passed."
-        sleep 30
-        exit 1
-    fi
     if [ "$FEATURE" == "appsec" ]; then
         # In k8s, if agent pod restarts these files are not cleared
         rm -rf /var/log/fenced/* 2>/dev/null

deepfence_agent/tools/apache/scope/probe/appclient/openapi_client.go

@@ -4,8 +4,8 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
+	"errors"
 	"fmt"
-	"log"
 	"net"
 	"net/http"
 	"net/url"
@@ -21,13 +21,17 @@ import (
 )
 
 type OpenapiClient struct {
-	client      *openapi.APIClient
+	client *openapi.APIClient
 }
 
 const (
 	maxIdleConnsPerHost = 1024
 )
 
+var (
+	AuthError = errors.New("Authentication error")
+)
+
 func buildHttpClient() *http.Client {
 	// Set up our own certificate pool
 	tlsConfig := &tls.Config{RootCAs: x509.NewCertPool(), InsecureSkipVerify: true}
@@ -43,23 +47,20 @@ func buildHttpClient() *http.Client {
 	return client
 }
 
-func NewOpenapiClient() *OpenapiClient {
+func NewOpenapiClient() (*OpenapiClient, error) {
 
 	url := os.Getenv("MGMT_CONSOLE_URL")
 	if url == "" {
-		log.Println("MGMT_CONSOLE_URL not set")
-		return nil
+		return nil, errors.New("MGMT_CONSOLE_URL not set")
 	}
 	port := os.Getenv("MGMT_CONSOLE_PORT")
 	if port == "" {
-		log.Println("MGMT_CONSOLE_URL not set")
-		return nil
+		return nil, errors.New("MGMT_CONSOLE_PORT not set")
 	}
 
 	api_token := os.Getenv("DEEPFENCE_KEY")
 	if port == "" {
-		log.Println("MGMT_CONSOLE_URL not set")
-		return nil
+		return nil, errors.New("DEEPFENCE_KEY not set")
 	}
 
 	cfg := openapi.NewConfiguration()
@@ -76,21 +77,19 @@ func NewOpenapiClient() *OpenapiClient {
 	})
 	res, _, err := cl.AuthenticationApi.AuthTokenExecute(req)
 	if err != nil {
-		log.Printf("Auth error: %v\n", err)
-		return nil
+		return nil, AuthError
 	}
 
 	accessToken := res.GetData().AccessToken
 	if accessToken == nil {
-		log.Println("Auth token nil: failed to authenticate")
-		return nil
+		return nil, AuthError
 	}
 
 	cl.GetConfig().AddDefaultHeader("Authorization", fmt.Sprintf("Bearer %v", *accessToken))
 
 	return &OpenapiClient{
-		client:      cl,
-	}
+		client: cl,
+	}, nil
 }
 
 // PipeClose implements MultiAppClient

deepfence_agent/tools/apache/scope/prog/main.go

@@ -496,7 +496,6 @@ func main() {
 	switch flags.mode {
 	case "app":
 		fmt.Println("app is deprecated")
-		//appMain(flags.app)
 	case "probe":
 		probeMain(flags.probe, targets)
 	case "version":

deepfence_agent/tools/apache/scope/prog/probe.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"errors"
 	"math/rand"
 	"net/http"
 	_ "net/http/pprof"
@@ -241,7 +242,17 @@ func probeMain(flags probeFlags, targets []appclient.Target) {
 			controls.DummyPipeClient
 		})
 	} else {
-		multiClients := appclient.NewOpenapiClient() //appclient.NewMultiAppClient(clientFactory, flags.noControls)
+		var multiClients *appclient.OpenapiClient
+		for {
+			multiClients, err = appclient.NewOpenapiClient()
+			if err == nil {
+				break
+			} else if errors.Is(err, appclient.AuthError) {
+				time.Sleep(time.Second * 10)
+			} else {
+				log.Fatalf("Fatal: %v", err)
+			}
+		}
 		defer multiClients.Stop()
 
 		//dnsLookupFn := net.LookupIP

deepfence_server/handler/agent_report.go

@@ -108,7 +108,9 @@ func (h *Handler) IngestAgentReport(w http.ResponseWriter, r *http.Request) {
 		nodeId = v.ID
 	}
 	nodeId = strings.Split(nodeId, ";")[0]
-	log.Warn().Msgf("NodeId: %v", nodeId)
+	if len(rpt.Host.Nodes) != 1 {
+		log.Warn().Msgf("Multiple NodeId foudn, taking: %v", nodeId)
+	}
 
 	actions, err := controls.GetAgentActions(ctx, nodeId)
 	if err != nil {

deepfence_server/handler/user.go

@@ -4,15 +4,16 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"net/http"
+	"reflect"
+
 	"github.com/deepfence/ThreatMapper/deepfence_server/model"
 	"github.com/deepfence/ThreatMapper/deepfence_utils/directory"
 	"github.com/deepfence/ThreatMapper/deepfence_utils/log"
 	postgresql_db "github.com/deepfence/ThreatMapper/deepfence_utils/postgresql/postgresql-db"
 	"github.com/deepfence/ThreatMapper/deepfence_utils/utils"
 	"github.com/go-chi/jwtauth/v5"
 	httpext "github.com/go-playground/pkg/v5/net/http"
-	"net/http"
-	"reflect"
 )
 
 const (
@@ -68,7 +69,7 @@ func (h *Handler) RegisterUser(w http.ResponseWriter, r *http.Request) {
 	c := model.Company{
 		Name:        registerRequest.Company,
 		EmailDomain: emailDomain,
-		Namespace:   DefaultNamespace,
+		Namespace:   DefaultNamespace, //TODO: SaaS namespace
 	}
 	company, err := c.Create(ctx, pgClient)
 	if err != nil {